Role in IT decision-making process:Align Business & IT GoalsCreate IT StrategyDetermine IT NeedsManage Vendor RelationshipsEvaluate/Specify Brands or VendorsOther RoleAuthorize PurchasesNot Involved

Work Phone:

Company:

Company Size:

Industry:

Street Address

City:

Zip/postal code

State/Province:

Country:

Occasionally, we send subscribers special offers from select partners. Would you like to receive these special partner offers via e-mail?YesNo

Your registration with Eweek will include the following free email newsletter(s):News & Views

By submitting your wireless number, you agree that eWEEK, its related properties, and vendor partners providing content you view may contact you using contact center technology. Your consent is not required to view content or use site features.

By clicking on the "Register" button below, I agree that I have carefully read the Terms of Service and the Privacy Policy and I agree to be legally bound by all such terms.

Paying for Flaws Pays Off for iDefense

iDefense releases a reverse-engineering tool to the open-source community and triggers a debate on whether information on unpatched security vulnerabilities should be purchased.

Internet security specialist iDefense Inc. has released a reverse-engineering tool to the open-source community as part of its controversial strategy of buying the rights to information on security flaws found by underground researchers.

The decision to roll out the IDA Sync tool was driven by a need to "contribute to the cycle" of making flaw-finding easier for the private individuals who participate in iDefenses VCP (Vulnerability Contributor Program).

The 3-year-old VCP involves financial incentives to anonymous researchers who agree to give up exclusive rights to advance notification of unpublished vulnerabilities or exploit code to iDefense.

Michael Sutton, director of iDefense Labs, said the wild success of the program has driven the company to release tools like IDA Sync, which is used to allow multiple analysts to synchronize their reverse-engineering efforts in real-time within the IDA Pro disassembler.

In an interview with eWEEK.com, Sutton said groups of researchers can use the IDA Sync plug-in to connect to the disassembler and share comments and name changes.

"A large group of researchers can now pick apart a program and share their findings with each other right within IDA Pro, which is the de-facto standard for disassembling within Windows," Sutton said.

In addition to IDA Sync, iDefense has previously released tools such as IDA pGRAPH, a plug-in that generates control-flow graphs; IDA Function Analyzer, a IDA C++ plug-in designed to provide an abstracted layer over "chunked" functions; and the Attack Vector Test Platform, a tool that was used in the research for the paper titled "A Comparison of Buffer Overflow Prevention Implementations and Weaknesses."

Flaw-finding has generated big business—and invaluable publicity—for the Reston, Va.-based iDefense. So far this year, the company is credited with the responsible disclosure of 36 security bulletins, including major flaws in products sold by Computer Associates International Inc., RealNetworks Inc. and Apple Computer Inc.

Sutton said that more than 80 percent of all vulnerabilities reported by iDefense were purchased from private, sometimes anonymous, software researchers.

"Well pay for the exclusive intellectual property rights to the research, and this program works for everyone. The researchers make money for their work, the vendors get the benefit of responsible advance notices, and the end users get well-tested patches."